Visualizing Behavior-Tracking Cookies With Firefox

An anonymous reader writes "Using Firefox, and a new (open source) add-on called Collusion, you can see for yourself just how extensive the third-party behavior-tracking system is. Simply leave the Collusion website open, browse the web for a bit, and then return to see that your favorite websites are letting at least four or five behavior tracking companies follow you around the web."

Google Analytics

[cgeys]

Google Analytics is the largest offender in this. There are others, but they have their fingers everywhere. Here on slashdot too.

Re:

[wintercolby]

Yeah, I picked that up from how the advertisements matched things I've searched for on Google, no software necessary.

Re:

[BrokenHalo]

I guess Microsoft might be such an offender if you happen to use Bing search. But since people only do that on TV, we're comparatively safe. Google Analytics is, as you say, a useful tool for webmasters, but for the casual user there's very little impact if you simply block it via hosts file or adblock, other than having to manually type the URL for top-ranked listings into your location bar every now and then.

Re:

[Zaiff Urgulbunger]

Are you saying that GA is tracking users between sites and that data is being used to inform the advertising?

I was under the impression that GA was simply used by webmasters to track their own usage only, which doesn't seem entirely unreasonable. But if the same data is being further exploited then that would be an issue.

Re:

[cgeys]

Their terms of services allow for this, yes.

Re:

[Jah-Wren Ryel]

Are you saying that GA is tracking users between sites and that data is being used to inform the advertising?

Of course it is. To think otherwise is naive at best. Google's sole business model is to provide services in exchange for targeted advertising. They aren't going to give away the GA service for free any more than they give anything else away for free.

Re:

[garyebickford]

IOW, for GA we (our eyes) are the product, not the consumer.

I have had GA blocked in NoScript for a long time. I don't know if it has any real effect, of course. Maybe I'll check out the topic of this /. article just to see if it has any effect. I also blocked doubleclick.net permanently a long time ago after one too many pop-ups. I don't block everything either with NoScript or AdBlock, just those that are offensive, obtrusive and/or creepy. I feel that letting them show me ads is part of the bargain.

Re:

[Zaiff Urgulbunger]

Stupidly I hadn't given it much thought. I'd just assumed that if they (Google) collected any information, it was purely statistical rather than linked to an individual... I feel violated now! :O

Ghostery may help

[Anonymous Coward]

I believe an add-in named Ghostery blocks most of those bugs from tracking your browsing.

Or use Ghostery

[DeHackEd]

Ghostery [ghostery.com] is another Firefox add-on that does much the same, except also supports blocking the cookies.

Re:

[gbjbaanb]

Or RequestPolicy [mozilla.org] which is an easy-to-use plugin that shows you the sites the site you're currently browsing wants to contact. Once you've whitelisted the domains that are really part of the site (eg slashdot.com might have a few elements from slashdot.org) then you can leave the rest safely blocked. And unless you ever visit statcounter.com or similar, they'll never get to see your cookies.

Re:

[cvtan]

Although I appreciate the intent, I am finding RequestPolicy a little difficult to deal with. How do you whitelist things that are "really" part of a site? Some places have 50+ items to wade through. Most sites have pieces that are invisible unless you allow everything. Push on a button and there is a warning that an email from Autoweek is sending you to an Autoweek site. Why is this a concern? You can't tell the bad actors by looking at site redirect names.

Re:

[CastrTroy]

Not only that, but many sites use a CDN to host images, JS, and CSS. So, it's often hard to tell just by domain name what to allow and not allow.

Re:

[kangsterizer]

Step 1: Check "Do Not Track"
Step 2: ???
Step 3: Profit

Alright I know, DNT is not supported everywhere, very far from it (and its voluntary), but ideally one should at least mention DNT.
Google is supposed to follow it afair.

Re:

[surveyork]

1. UN-check "accept 3rd party cookies".
2. Check "keep cookies until I close Firefox".
3. Profit.

Installing Beef TACO, Better Privacy and TrackMeNot may help too. Hey, it's not paranoia if they really are after me.

Re:

[grubwort]

Lots of sites use Flash cookies (LSOs) to track you in addition to the good old fashioned HTTP cookies.

Ghostery does a pretty good job of deleting Flash cookies, but it takes a brutal all-or-nothing approach; it'll delete them all if you enable the option.

If you want finer control over your Flash cookies you'll also need Better Privacy [mozilla.org]. Now you can save your progress when playing Kongregate games but not get tracked while you do so :)

Broken Web site.

[John Hasler]

When I go there with Firefox 4.0 I see a block of text overprinted by a menu.

Re:

[Anonymous Coward]

4.0? Try using an up-to-date browser like Firefox 3.6!

Re:Broken Web site.

[KiloByte]

This is not flamebait: 3.6 has security support, 4.0 is EOLed already. And 3.5 has third-party support from Debian and Red Hat for long years to come.

Re:

[gknoy]

Wait, really? (Oh wait, we're on Firefox 5 now. I didn't even realize it. Thanks.)

Re:

[surveyork]

B*tches don't know about my Fx Nightly 8. Nor about Fx 9 scheduled for December 2011.

Enable ads on slashdot

[cultiv8]

Not *too* bad, only [privacychoice.org] three [privacychoice.org] entities [privacychoice.org] tracking /.'ers.

Big deal, you think?

[arisvega]

Then use Adblock Plus, NoScript, header spoof and allow session-only cookies from specific sites only. Apart from IP profiling, there is not much mainstream techniques one of said sites can use for tracking.

Re:

[Lennie]

Look up Evercookie, I'm sure it still has some techniques that still work.

How about E-Tag. I don't think any tracking company uses that right now, but it could be.

Hosts file

[drooling-dog]

There are over 10,000 entries in my /etc/hosts file pointing to 127.0.0.1, and this is the main reason why.

Re:

[Anonymous Coward]

share?

Re:

[Abstrackt]

You can download one from here [mvps.org] It's about 600kb and works fairly well.

Re:

[trifish]

LOL That must have been a shitload of work to get that blacklist together, let alone maintain it. What about white-listing instead?

There is a very promising Firefox addon, that does exactly that.

https://www.requestpolicy.com/ [requestpolicy.com]

No third party will ever track you again, unless you explicitly allow their domain name.

Re:

[Lennie]

I've been using it for years. Although you pretty much need be a webdeveloper if you don't enable the pre-configured whitelist to know what and what not to enable.

Re:

[Derek Pomery]

Much more efficient to use a local dns cache.
I use tinydns/dnscachex locally, Apart from doing lookups for my domain, it relays everything to opendns except for domains or subdomains that are nosy bastards.

And you can always layer on a host file if necessary. But doing a *.doubleclick.net is much more efficient.

Re:

[Derek Pomery]

Oh, and of course, that way it applies to all the local computers without the need for copying hosts files.

Re:

[gknoy]

I wanted to do that, and had a bear of a time trying to get my server to handle things correctly INSIDE my NAT while also resolving things correctly OUTSIDE the NAT. Eventually I gave up and have foo*.dyndns.org. :(

* Not my actual domain.

Re:

[Derek Pomery]

dnscachex can specify servers for arbitrary domains. If you want some stuff to be internal only and don't want to mess about with replication, just run a 2nd DNS server on a specified local interface (maybe an alias), and point dnscachex at that for that domain.

Or of course, you could just put your local records in your DNS, and not worry about it.

Re:

[Derek Pomery]

Oh, and 255.255.255.255 works nicely. Resolve them to that and the lookups fail immediately with no delays.

Re:

[Idbar]

Perhaps on Linux this is a simpler task and works well for you. Windows (at least XP), on the other hand, takes forever to parse that file. I had to disable that mechanism to block websites, because it was messing with the whole networking behavior.

Spybot uses this mechanism to block malware-sites, and I had at some point to disable it for that reason too.

Re:

[TheTyrannyOfForcedRe]

There are over 10,000 entries in my /etc/hosts file pointing to 127.0.0.1, and this is the main reason why.

I changed my hosts file to send everything to 127.0.0.1. Now all I see is porn. Did I do something wrong?

Use Permit Cookies

[JSmooth]

Permit Cookies is very useful (need to disable extension checking and it works with FF5) in limiting tracking while still providing a usable web experience. It turns all cookies into session cookies that are gone when you close the browser and has a shortcut to override for sites that you do want to allow permanent cookies to be set. When I restart my browser I am a new person. For complete protection I also use NoScript, Ghostery and Better Privacy.

https://addons.mozilla.org/en-US/firefox/addon/permit-cookies/ [mozilla.org]

Re:

[CastrTroy]

Firefox has this option a standard feature. Go to Tools(Edit) -> Options(Preferences) and go to the Privacy Tab. Select "Use Custom Settings For History". You can choose to delete cookies as soon as the browser is closed, making all cookies into session cookies. You can then use the exceptions button to configure sites that you want to allow to store cookies for longer.

Proprietary software. I wouldn't trust it.

[ciaran_o_riordan]

Here's the entire licence file of the software they tell you to install to protect your privacy:

All source code, images and other intellectually property in this extension is owned by or licensed to privacychoice LLC. It may not be used in any way with written permission. Copyright © 2011 privacychoice LLC

If no one can modify it, that means it's unlikely that anyone will bother looking at the source code. There's no community verifying or improving the privacy of this software. There has to

The typo is also their property

[ciaran_o_riordan]

(I just noticed that their licence notice doesn't make any sense. I presume they meant to write "with*out* written permission")

I just went looking for free alternatives but NoScript is all I found!

* https://addons.mozilla.org/en-US/firefox/addon/noscript/ [mozilla.org]

TrackerBlock, BetterPrivacy, and Ghostery all seem to be proprietary software. What a disappointment.

FSF maintain a list of free mozilla-compatible plugins:
http://www.gnu.org/software/gnuzilla/addons.html [gnu.org]

I see one free plugin that I haven't tinkered with:

How is this legal?

[ArgumentBoy]

Seriously - how is this legal? People can't wiretap me without a warrant, they can't look into the windows of my house, and they can't read my (paper) mail. I don't accept a EULA for web sites and no one owns the internet. Why isn't this hacking?

Re:

[Haedrian]

People can't wiretap me without a warrant,

Not American eh?

I don't accept a EULA for web sites and no one owns the internet. Why isn't this hacking?

If you look at the bottom of sites, they generally have terms and conditions which you are following by using the website. Its not akin to someone looking into your house, its akin to the cashier person looking at your purchases at the supermarket and next time offering you something you might like. You're using their website/advertising service and they're seeing what works.

Re:

[Lennie]

EULA's are pretty much illegal anyway, atleast in my country.

Re:

[vux984]

I really have no objection to websiteX tracking my movements through websiteX.

I don't see why I should have to submit to Google tracking my movements through websiteX, websiteY, websiteZ, and half a million other sites though.

The closest thing we have right now to this in the real world is VISA. But they only track your purchases, not everywhere you go. And it is pretty easy to simply not pay for everything with VISA and avoid being tracked.

Its not akin to someone looking into your house, its akin to the ca

Re:

[garyebickford]

I listened to a keynote speech by a futurist at the 2001 O'Reilly Open Source Conference in Monterey California. He was talking about how existing technology would be used. Among other things, when you went to the mall face recognition systems (along with other stuff like wi-fi and bluetooth snooping) would attempt to figure out who you are. You would have HW that tries to prevent that by jamming or other means. Then as you walk down the entry hall, floating holographs would appear in front of you with

Re:

[garyebickford]

A majority of sites that I go to (especially news sites) do not work correctly unless both cookies and javascript (at least _their_ javascript, plus maybe Google API, if not a bunch of third party javascript). And the pool of sources for that stuff that is required to make things work is expanding at a high rate. So one can not just block all cookies all the time. So one has to allow or disallow on a site-by-site basis. Installing the extensions (NoScript, Adblock, et al) is the easy part. After that i

Re:

[Haedrian]

Here's what you agreed with when you used /.

http://geek.net/privacy-statement [geek.net]
http://geek.net/index.php/terms-of-use/ [geek.net]

"Web beacons

Geeknet uses web beacons from time to time. Such web beacons may be provided by Geeknet’s third party advertising companies to help manage and optimize Geeknet’s online advertising. To opt out of targeted advertising delivered by Network Advertising Initiative members, click here: http://www.networkadvertising.org/consumer/opt_out.asp [networkadvertising.org] ... "

Re:

[am 2k]

I wonder whether that's legal, since you can't get to that page without getting tracked already.

Re:

[John Hasler]

How is what legal? Offering to send you a cookie and then sending it when you request it? The Web sites didn't configure your browser to silently accept and pass on cookies. No site can store or read back anything from your computer without active cooperation from your browser, which is entirely under your control.

Cookie Monster and NoScript

[Anonymous Coward]

Others have mentioned various add ons which can be used to prevent tracking. Personally I use the Firefox addons Cookie Monster, and NoScript.

Cookie Monster has a number of options, including the one I use which is deny all cookies by default. I then enable for the few sites that I visit regularly that require cookies. You can also temporarily websites to set cookies, and that permission is revoked when you next start Firefix.

NoScript is used in a similar way. I block all JavaScript by default. I then enabl

Re:

[Lennie]

You don't need to be firefoxless, pretty much anyone can install it. There is even a version for OS/2

delete cookies every time I quit or press a button

[canoeberry]

I delete all my cookies except a few every time I close my browser. That works in Chrome, Safari and Firefox now. In chrome I press a button to remove the cookies it would delete if I exited right now. I checked the advertising sites and they don't know me. Google knows me for as long as I keep my browser window open. Facebook doesn't follow me around on the web either. I use the Vanilla plugin for chrome. Hope that's good enough.

Re:

[Synerg1y]

to build on this, disabling 3rd party cookies, clearing the cache on browser close, and checking the new but not fully implemented do not track checkbox in firefox are all great ways to prevent tracking.

NoScript

[Krneki]

kkthxbye

Re:

[Anon8---)]

Doesn't block cookies afaik and collusion showed me that pretty well.

Re:

[Krneki]

No need, if you block those pages from loading then you won't allow them access to the cookies in the first place.

Re:

[Anon8---)]

I tried that. I forbade AdBrite, Facebook, Google Syndication and many other scripts, yet when I checked Occlusion's graph and my cookies, cookies of those blocked sites existed. After installing Ghostery most of them [cookies] weren't created and Occlusion didn't register them.

Is there a setting in NoScript I'm missing besides the "Forbid x" ?

off the grid

[Gravis Zero]

we all know that excluding trackers ends up being a game of whack-a-mole. you block some trackers and more will show up when you aren't looking. the solution is simple: whitelisting.

cookies
whitelisting cookies is a must because good guys, bad guys and even the oblivious have sites that want to store cookies on your system.

JavaScript
JavaScript is a lesser offender but noscript [mozilla.org] can help you here.

flash
the most insidious of cookies are flash cookies. some argue flash is the most insidious in it's own righ

Maybe it's broke, I don't see any dots ;)

[laslo2]

I don't see any collusion dots when I browse the web. I don't see any ads either. Zero.

Of course, the addons I have tacked onto Firefox might have something to do with that (Adblock Plus, AdblockPlus Pop-up addon, BetterPrivacy, Certificate Patrol, Cookie Monster, Element Hiding Helper for Adblock, HTTPS Finder, HTTPS-everywhere, Ghostery, and NoScript).

I've been adding to my Adblock Plus filter list for about a year and a half as well.

I won't make the claim that I'm not being tracked by someone with more K

Adblock and noscript close, except....

[wiresquire]

...the problem I find a lot nowadays, is that a lot of sites require you to allow scripts from 3rd party domains, eg, googleapis, for the site to actually work.

So, naturally by allowing this you can be tracked.